aegilops :github::microsoft: · @aegilops
150 followers · 582 posts · Server fosstodon.orgI've wrapped up SpotBugs/FindSecBugs in a bow 🎁 in a GitHub Action, so you can use it in GitHub Code Scanning - free for open source projects, and also available for paid users of GitHub Advanced Security.
SpotBugs and FindSecBugs work with JVM languages - Scala, Java, and Clojure, mainly.
https://github.com/marketplace/actions/spotbugs-with-findsecbugs
Point it at the results of the build, and go.
#GitHub #SAST #Scala #JVM #Clojure #Java #CodeSecurity #SpotBugs #FindSecBugs #DevSecOps #SDLC
#github #sast #scala #jvm #clojure #java #codesecurity #spotbugs #findsecbugs #devsecops #sdlc
aegilops :github::microsoft: · @aegilops
147 followers · 566 posts · Server fosstodon.org@ovid and other Perl :perl: mongers. What, if anything, do you use for code security?
I know that using taint gets you far, but SAST is mostly what I’m thinking (especially for legacy code without taint). Any tips?
Does Perl::Critic do a decent job, and is there a list of what its security policy and 3rd party plug-ins cover?
Other OS SAST I found are: https://github.com/htrgouvea/zarn and this grep-based one: https://github.com/wireghoul/graudit
Are they OK?
#sast #perl #appsec #codesecurity #perlcritic
JM ☠️ · @jmamblat
299 followers · 159 posts · Server infosec.exchange
Security Audit of #git
https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/
#infosec #cybersecurity #blueteam #codesecurity #sdlc
#git #infosec #cybersecurity #blueteam #codesecurity #sdlc
aegilops :github::microsoft: · @aegilops
94 followers · 315 posts · Server fosstodon.org
"In Scorecard we trust"
:github: README posted on the Open Source Security Foundation (OoenSSF) Scorecard project to gauge levels of security in code repos:
https://github.com/readme/guides/software-supply-chain-security
#ReadMe #OpenSSF #GitHub #ScoreCard #CodeSecurity #SupplyChain
#readme #OpenSSF #github #scorecard #codesecurity #supplychain
Sam Morreel · @smorreel
53 followers · 103 posts · Server saasycloud.socialI had a customer for which I performed a #codesecurity review on a #web based #DOTNET/C#/Razor #MVC app.
There was blatant disregard in the #code for basic 101 #SQL injection #vulnerabilities. The customer's senior (supposedly) #developer responded with:
"oh, that's low risk, it's only an internal app. "
Yikers!
#codesecurity #web #dotnet #code #sql #vulnerabilities #developer #mvc